Fine Grained Access Control Strategies

    There are two strategies for adopting a Fine Grained Access Control mechanism.

    1. Access Control Lists (ACL)
    2. Rules based approach

    1. Access Control Lists

    An ACL attaches to each resource the list of subjects and the operations each of them may perform on it. It is the most widely deployed model, but it is not a standard: every product defines its own ACL format, evaluation order and inheritance semantics, so ACLs written for one system do not carry over to another. For background, see http://en.wikipedia.org/wiki/Access_control_list

    PicketLink3 has a permission based model: grants of an operation on a resource to an identity, which is the same data organised per subject rather than per resource. The permissions can be stored in a DB or in LDAP.

    2. Rules based approach

    Access control decisions are made by evaluating rules against the attributes of the subject, the resource, the action and the environment at request time, rather than by looking up a stored grant.

    2.1 Drools

    The Drools rules engine is a simple way to incorporate a rules based access control mechanism: the access check is written as rules, and the engine evaluates them against the request.

    Pros:

    • Simple strategy.
    • Guvnor is available to edit and manage rules.

    Cons:

    • Not a standard: rules are written in Drools' own rule language, so the policies are tied to that engine.

    Availability:

    PicketBox5 has Drools based authorization.

    2.2 OASIS XACML

    Currently the only available standard for fine grained authorization. Policies must be written in XML, and good editing tools are not available. PicketBox XACML supports OASIS XACML v2.

    Pros:

    • OASIS standard.
    • Extremely capable framework: attribute based policies, policy sets with combining algorithms, obligations.

    Cons:

    • Requires XML, which is verbose and easy to get wrong when written by hand.
    • No good tool exists to manage the policy files.

    Availability:

    PicketBox XACML is an independent library that can be incorporated into any Java framework.
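    The following is an added example, not code from PicketBox or from this page: a deliberately minimal XACML 2.0 evaluator in Python that shows what a policy decision point does with a policy of the kind described above. It illustrates the rules based approach of section 2 in general, with XACML as the concrete policy format. The sample policy, the attribute id urn:example:attr:role, the resource name patient-record and the roles are assumptions of the example; the evaluator supports only string-equal matches and the first-applicable and deny-overrides rule-combining algorithms, and returns Permit, Deny or NotApplicable.

```python
"""Minimal XACML 2.0 evaluator (a toy PDP). Added for this page; NOT PicketBox
XACML and not a conforming PDP. Handles only Policy/Target/Rule, *Match elements
using string-equal, Effect Permit/Deny, first-applicable and deny-overrides."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"p": XACML_NS}
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"  # standard attribute id
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"        # standard attribute id
ROLE = "urn:example:attr:role"                                      # constructed for the example


def policy_xml(combining_alg):
    """Constructed sample policy: applies to resource 'patient-record'; the
    'doctor' role may read it, a catch-all rule (no Target) denies the rest."""
    return f"""<Policy xmlns="{XACML_NS}" PolicyId="urn:example:patient-records"
        RuleCombiningAlgId="{combining_alg}">
  <Target>
    <Resources><Resource>
      <ResourceMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">patient-record</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
      </ResourceMatch>
    </Resource></Resources>
  </Target>
  <Rule RuleId="doctors-may-read" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">doctor</AttributeValue>
          <SubjectAttributeDesignator AttributeId="{ROLE}" DataType="{XS_STRING}"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Actions><Action>
        <ActionMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
        </ActionMatch>
      </Action></Actions>
    </Target>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>"""


def _match(match, request):
    """One *Match element: true if ANY value in the request's attribute bag equals the literal."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(f"unsupported MatchId {match.get('MatchId')}")
    literal = match.find("p:AttributeValue", NS).text
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    return literal in request.get(designator.get("AttributeId"), ())


def _target_matches(target, request):
    """XACML 2.0 Target semantics: the sections are AND-ed and an absent section
    matches; inside a section the children are OR-ed, their *Match elements AND-ed."""
    if target is None:  # a Rule without <Target> applies to every request
        return True
    for section_name in ("Subjects", "Resources", "Actions", "Environments"):
        section = target.find(f"p:{section_name}", NS)
        if section is None:
            continue
        if not any(all(_match(m, request) for m in child) for child in section):
            return False
    return True


def evaluate(policy_doc, request):
    """Return 'Permit', 'Deny' or 'NotApplicable' for a request {attribute-id: set-of-values}."""
    policy = ET.fromstring(policy_doc)
    if not _target_matches(policy.find("p:Target", NS), request):
        return "NotApplicable"
    alg = policy.get("RuleCombiningAlgId")
    effects = [r.get("Effect") for r in policy.findall("p:Rule", NS)
               if _target_matches(r.find("p:Target", NS), request)]
    if not effects:
        return "NotApplicable"
    if alg == FIRST_APPLICABLE:
        return effects[0]  # the first rule whose target matched decides
    if alg == DENY_OVERRIDES:
        return "Deny" if "Deny" in effects else "Permit"
    raise NotImplementedError(f"unsupported combining algorithm {alg}")


def decide(roles, resource, action, combining_alg=FIRST_APPLICABLE):
    """Build the request context (attribute bags) and evaluate the sample policy."""
    request = {ROLE: set(roles), RESOURCE_ID: {resource}, ACTION_ID: {action}}
    return evaluate(policy_xml(combining_alg), request)


def enforce(roles, resource, action):
    """What a PEP must do: only an explicit Permit grants access; Deny and
    NotApplicable (and Indeterminate in a real PDP) all mean no."""
    return decide(roles, resource, action) == "Permit"
```

    Two points worth taking from it: the combining algorithm is part of the policy's meaning (the same two rules give Deny to the doctor under deny-overrides, because the catch-all Deny rule matches every request), and the enforcement point must treat anything other than an explicit Permit, NotApplicable included, as a refusal.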

    Terminology

    I differentiate between two models used in access control: the Enforcement model and the Entitlements model.

    Enforcement Model: the server performs an access check on every call and answers yes or no (permit or deny) for that one subject, action and resource.

    Entitlement Model: the client asks the server, for a particular context, which permissions/entitlements the user/subject holds, and receives the list (for example to decide what to show in a UI). Because the list is a snapshot, it goes stale after a grant or revocation; the server still has to enforce on each call.
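    As an added example for both the permission based model of section 1 and the two models defined here (illustration code written for this page, not PicketLink or PicketBox code, and using none of their APIs): one in-memory permission store that exposes an ACL view of its grants, an enforcement style per-call check and an entitlement query for a context. The class and function names, the identities, groups and resources are constructed for the example; PicketLink's store would live in a DB or LDAP instead of a dict.

```python
"""Permission store with an ACL view, an enforcement API and an entitlement API.
Added for this page; NOT PicketLink or PicketBox code. Grants are modelled as
(principal, resource, operation) triples held in memory; all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    resource: str   # e.g. "document:42"
    operation: str  # e.g. "read"


class PermissionStore:
    """Access matrix stored subject-major (a list of permissions per principal);
    acl_for() gives the same data resource-major, i.e. an ACL."""

    def __init__(self):
        self._grants = defaultdict(set)   # principal (user or group) -> {Permission}
        self._groups = defaultdict(set)   # identity -> {group}

    def grant(self, principal, resource, operation):
        self._grants[principal].add(Permission(resource, operation))

    def revoke(self, principal, resource, operation):
        self._grants[principal].discard(Permission(resource, operation))

    def add_to_group(self, identity, group):
        self._groups[identity].add(group)

    def _effective(self, identity):
        """Direct grants plus the grants of every group the identity belongs to."""
        perms = set(self._grants.get(identity, ()))
        for group in self._groups.get(identity, ()):
            perms |= self._grants.get(group, set())
        return perms

    # Enforcement model: the server answers yes/no on every call against the
    # live store, so a revocation is effective on the very next request.
    def is_permitted(self, identity, resource, operation):
        return Permission(resource, operation) in self._effective(identity)

    # Entitlement model: the client asks once, for a context (here a resource
    # prefix such as "document:"), which permissions the subject holds, and uses
    # the answer locally, e.g. to decide which actions to render.
    def entitlements_for(self, identity, context):
        return {p for p in self._effective(identity) if p.resource.startswith(context)}

    # ACL view: the same grants indexed by resource.
    def acl_for(self, resource):
        acl = defaultdict(set)
        for principal, perms in self._grants.items():
            for p in perms:
                if p.resource == resource:
                    acl[principal].add(p.operation)
        return dict(acl)


def build_sample_store():
    """Constructed sample data: editors may read and write document:42; alice is
    an editor and may additionally delete it; bob may only read it."""
    store = PermissionStore()
    store.grant("group:editors", "document:42", "read")
    store.grant("group:editors", "document:42", "write")
    store.grant("alice", "document:42", "delete")
    store.grant("alice", "report:7", "read")
    store.grant("bob", "document:42", "read")
    store.add_to_group("alice", "group:editors")
    return store


def stale_entitlement_demo():
    """Why the entitlement model does not replace enforcement: a client-side
    entitlement snapshot survives a revocation, the per-call check does not.
    Returns (snapshot still lists write?, server still permits write?)."""
    store = build_sample_store()
    snapshot = store.entitlements_for("alice", "document:")
    store.revoke("group:editors", "document:42", "write")
    return (Permission("document:42", "write") in snapshot,
            store.is_permitted("alice", "document:42", "write"))


if __name__ == "__main__":
    s = build_sample_store()
    print(s.is_permitted("alice", "document:42", "write"))  # True, via group:editors
    print(s.is_permitted("bob", "document:42", "write"))    # False
    print(sorted(p.operation for p in s.entitlements_for("alice", "document:")))
    print(s.acl_for("document:42"))
    print(stale_entitlement_demo())                         # (True, False)
```

    The entitlement query is the right tool for shaping a client (menus, buttons, which objects to list); it must never be the only gate, because the client's copy of the list is only as fresh as its last query. The per-call is_permitted check is what actually protects the resource.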